1 Reply Latest reply on Jan 6, 2006 3:33 AM by Ashwin Kumar Karkala

    EJB security issue with remote client

    Frank LaRosa Newbie

      I'm trying to set up a security restriction on an EJB's methods, but I'm running into a couple of confusing problems.

      The first problem is that my client is able to connect to the server and call the EJB methods freely, regardless of what kind of security I try to assign to the methods; for example:

      <security-role>
      <role-name>DataImporter</role-name>
      </security-role>

      <method-permission>
      <role-name>DataImporter</role-name>

      <ejb-name>DataServices</ejb-name>
      <method-name>*</method-name>

      </method-permission>

      The second problem is that my client can connect to JBoss, get a reference to this EJB and call its methods without providing any authentication at all; or even if it provides completely bogus authentication:

      Hashtable ht = new Hashtable();
      ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
      ht.put(Context.PROVIDER_URL, args[0]);
      ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces" );
      ht.put(Context.SECURITY_PRINCIPAL, "garbage");
      ht.put(Context.SECURITY_CREDENTIALS, "moregarbage");

      DataServicesHome home =
      (DataServicesHome) (new InitialContext(ht)).lookup(DataServicesHome.JNDI_NAME);
      dataServices = home.create();
      dataServices.addOrUpdateCategory(null);

      I don't understand why this code is allowed to even connect to JBoss at all, let alone execute a security-protected method. (It runs with no exception).

      The third problem is that while I am aware that the role name I define in my ejb-jar.xml file is not the same as the role names defined in my roles.properties file, I have not found any information as to how to create an association between the two.

      Thanks for your help.